News Ticker

BBH Feature: 3 Steps You Must Take Today to Protect Your WordPress Website

Bad things happen to WordPress websites. Hackers get in, plug-ins conflict, servers crash. If your business relies on your WordPress website, here’s how to defend your website from the bad stuff that happens all the time.

how to protect your wordpress site

WordPress is a terrific platform, but there are a lot of bad things that can happen. You have to defend your website from hackers and every day mishaps.

Roughly 26% of all websites in the world are built on the very popular platform, WordPress.

WordPress is a content management system that’s relatively easy to set up and manage. There are thousands of templates that can be used to make great looking websites and blogs. This week, I taught a two-day beginning WordPress class. We covered a lot of material, and each student actually built a brand new website in class.

As easy as it is to build and manage a WordPress website, the downside is that it’s easy to leave yourself vulnerable.

If your business relies on your website to generate business, there are some very fundamental mistakes that most people make and don’t even realize it.

During class, we practiced all the cool things you can do with WordPress, but we spent a good portion of time discussing how website administrators need to protect themselves from the bad guys (hackers!) and random problems.

Three Ways to Protect Your WordPress Website

Here are my top three things everyone with a WordPress website must do today:

I) Change the Default Administrator

By default, most WordPress installations have a user id of “admin”. This is the first user id that is set up when you install WordPress, and most people just go with it.

Unfortunately, all the hackers know that too. If they know what your login id is, all they have to do is guess your password. It’s not much security, and I absolutely guarantee it that people are poking at your website right now trying to get in.

Furthermore, most blog posts are set up under the default administrator user id, or they’re all set up under another administrator id. By default, blog posts display the author’s user id and expose it to Google.

Even if you’ve never created a blog post, you probably still have a “Hello World” default blog that has been indexed by Google. I demonstrated to the class how I can usually get an admin user id on a WordPress installation in about 5 seconds, and they were shocked at how easy it is.

Here’s what you need to do to protect yourself:

1. If you still have an active administrator id called “admin”, create a brand new admin user id and call it something else, like admin-bob or admin-suzie. Give it a very strong password.
2. Create a second user id that has no more than Author or Editor level, and call it something else like bob or suzie. Give it a very strong password too.
3. Log out of the old admin user id, and log in as your new admin-bob or admin-suzie.
4. DELETE the original admin user id. WordPress will ask you what to do with all the content that admin owns. Assign it to a non-admin user id, like bob or suzie that you created before.
5. For all future blog posts, create them with whatever user id you want, but change the author to the lower-level ids. When you’re editing the post, click the “Screen Options” pull-down (upper right corner) and make sure “Authors” is check-boxed. Now you can change the author to any other user id on the site that you want as long as you’re an editor or administrator.

Now your real admin id won’t be exposed to the bad guys, and even if they manage to get in, they won’t have free reign to do serious damage to your site.

II) Set up a WordPress Backup Plug-in

I don’t know how many times I’ve looked at someone’s site that’s been hacked or had a plug-in conflict with something causing the site to go down. The first question I ask is, “Do you have a backup?”

Often I get, “Um, no I don’t think so.” I spoke to one person a year ago who has an e-commerce site that got hacked. They were down for over a week while their IT people scratched their heads trying to get it back online.

Yeesh. She lost a week’s worth of sales and probably a bunch of customers that just went somewhere else. Had she had a backup, they could have been back online within an hour, not a week.

Always install a good backup plug-in. I personally like to use Backup Buddy from iThemes. It’s been around for several years, and it’s rock solid.

Always back up your website before you ever install any plug-in or WordPress core updates, or do anything to make major changes to the site. You want to be able to get back to working order if something pukes.

Furthermore, you can set it up to automatically back the site up every night. Make sure the backups are stored off the web server in case something happens to the server or even the data center.

Backup Buddy will store your backups in a variety of places like Amazon S3 (which I use), Dropbox, or a bunch of other places. Set the database to be backed up EVERY night, and the full site to be backed up over the weekend.

Keep the last few full backups in case you need to go back a while.

III) Set up a WordPress Security Plug-in

Changing the admin user id is a great start, but there are a TON of vulnerabilities in WordPress. As I said earlier, I guarantee that someone’s poking your site right now, and you don’t know it.

Install iThemes Security Pro, and you’ll be able to “harden” the website from all but the most determined hackers. Turn on notifications, and you’ll be shocked at how often someone gets locked out who is trying to get in the front door from anywhere in the world.

There’s an awesome setting that is “Automatically ban anyone who tries to log in as Admin”. That’ll catch a whole bunch of them in the net for sure. Heh heh.

Another cool feature of the Pro version (they have a free version too, but spend the $80 – it’s the best insurance policy you’ll ever buy), you can change the standard login URL from “wp-admin” (which everyone knows) to something secret like, “mysecretdoor” or “youcantgetin” or anything you want.

If you do this, make SURE you don’t have it in a “Login” link at the footer of your website, or you’re just going to tell the bad guys where your secret door went.

I’ve been brute-force attacked multiple times, as have many of my client websites. That means that the bad guys launch a bunch of computers at your website all at once and try to kick the door in. iThemes Security Pro does a great job of keeping them at bay, and even has a network of known IP addresses that they prevent from getting to your site.

I could go on about how important it is to protect yourself, your business and your assets, and how to do it. But with these three basic steps, you’ll be doing yourself a world of good. You’ll sleep much better knowing that you’re protected from the bad guys and the bad stuff that happens.

(Disclosure: Links to merchants mentioned within this post may be using an affiliate link which means that – at zero cost to you – we might earn a commission if you buy something through that link. We never recommend anything we don’t personally use and find to be a valuable asset to our business.)

About Thomas Petty (46 Articles)
Thomas Petty teaches beginning and advanced digital marketing workshops to business owners who want to get found online. He is a popular blogger and speaker and has regular SEO training classes and updates at his company, the Bay Area Search Engine Academy. He holds a monthly series of free SEO and digital marketing webinars that are open to those who want to learn some online marketing techniques that they can implement right away.